1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On Thursday 25 March 2004 02:45, Robin H. Johnson wrote: |
5 |
> OK, after reading this entire thread, I've been thinking about a |
6 |
> usable implementation from both the administrative and developer |
7 |
> perspective. One of the most important things to remember in designing |
8 |
> this, is that while you can prevent damage from most individual |
9 |
> attacks, no system in existence can withstand a multi-faceted all-out |
10 |
> assault. |
11 |
> |
12 |
> Goals: |
13 |
> ------ |
14 |
> - protect against compromised developer box / rogue developer |
15 |
> - protect against compromised rsync server |
16 |
> |
17 |
> Required operations: |
18 |
> -------------------- |
19 |
> 1. add a key to trusted list |
20 |
> 2. remove a key from trusted list |
21 |
> 3. verify that a package has not been tampered with |
22 |
> 4. sign a package |
23 |
5. Make sure that people do not have an old trusted list which has |
24 |
compromised keys on it |
25 |
6. Ensure that a compromise of the key(s) signing the trusted list can be |
26 |
handled without requiring users to build up the trust from start. |
27 |
7. Handle a case in which a developer leaves the project (and his key |
28 |
removed from the list for signatures after some time) without |
29 |
invalidating snapshots that legally contain signatures from him/her. |
30 |
|
31 |
> |
32 |
> General idea: |
33 |
> ------------- |
34 |
> we have a list (single file) distributed via rsync with all of keyids |
35 |
> known good for signing manifests. this file is must also signed, with |
36 |
> at least one (two or three required for more security) master key that |
37 |
> has it's public part widely published and it's private part kept |
38 |
> secure. the verifiable signatures on the trust list make it trusted. |
39 |
> The signature for the list should be available individually so that it |
40 |
> can be checked frequently by portage for changes (and if it has |
41 |
> changed, download the list again). Some other users have suggested |
42 |
> using expiry times in various ways but that ignores the fact that a |
43 |
> portage tree snapshot taken in a known good state remains in that |
44 |
> known good state until altered. |
45 |
|
46 |
For rsync we want to verify at *sync time* that the list has a recent |
47 |
signature. While a second channel can increase security, I think relying |
48 |
on it is wrong. Because of that if the signing key has a lifetime of a |
49 |
day it would mean that the rsync list will become invalid after this |
50 |
day. To make sure that the repository on the local machine will stay |
51 |
valid we can have portage add a local signature of list that verifies |
52 |
that the list was valid at the moment of syncing. (or without a |
53 |
signature verify that the time of the last sync was within the validity |
54 |
time of the key) |
55 |
|
56 |
The lifetime of the signature on the list is needed for the following |
57 |
case: |
58 |
- - The hacker has access to an rsync mirror |
59 |
- - The hacker has access to the private key that is on the list |
60 |
- - The hacker can do a DOS on the second channel (or has access to it) |
61 |
|
62 |
As the hacker has access to the rsync mirror he can prevent updates of |
63 |
the list that would invalidate his key. |
64 |
As the hacker can perform a DOS on the second channel a user cannot know |
65 |
that the second channel signature on the list has changed. |
66 |
The private key is used to sign malicious code that compromises gentoo |
67 |
machines (that can be used in the DOS) |
68 |
|
69 |
> Signing a package: |
70 |
> ------------------ |
71 |
> manifests are signed as clear-text INSIDE the Manifest file (my |
72 |
> prototype already did this). this is important not to bloat the tree |
73 |
> with more files. This also allows multiple signatures on a Manifest |
74 |
> (basically it just nests). add a command to repoman, 'repoman sign' |
75 |
> that signs a manifest and have repoman commit check that a valid |
76 |
> signature is present before committing (and automatically does the |
77 |
> sign stage on commit if required). |
78 |
> |
79 |
> to add a key to the trusted list: |
80 |
> --------------------------------- |
81 |
> 1. add keyid into list |
82 |
> 2. resign modified list with all required master keys |
83 |
> |
84 |
> to remove a key from the trusted list: |
85 |
> -------------------------------------- |
86 |
> 1. remove keyid from list |
87 |
> 2. resign modified list with all required master keys |
88 |
> |
89 |
> to verified that a package has not been tampered with: |
90 |
> ------------------------------------------------------ |
91 |
> 1. read in manifest file, check that the signature(s) are valid. |
92 |
> 2. grab the keyid(s) that it was signed with, and compare them against |
93 |
> the trusted list (and optionally a LOCAL list for users to have their |
94 |
> own trusted key structure) |
95 |
> |
96 |
> users can specify how many signatures a package needs to have for them |
97 |
> to trust it, eg a really paranoid user may require each manifest has |
98 |
> at least 3 signatures. |
99 |
|
100 |
This is all correct. My only concern are the keys used for signing the |
101 |
trusted list. My opinion is that the only strategy for the list of |
102 |
trusted keys is that it should become invalid unless something is done. |
103 |
This could indeed end up in a DOS on users, but it is to be preferrable |
104 |
to having a blockage end up in compromise on users. |
105 |
|
106 |
For packaged snapshots (tarballs of portage trees, like used with |
107 |
emerge-webrsync) we can have extra signatures that verify that the whole |
108 |
tarball is valid which would then bypass the lifetime of the signing key |
109 |
of the key list. |
110 |
|
111 |
Case 4: |
112 |
The list signing key is compromised: |
113 |
A security announcement needs to be made. The proposal as made by robbat2 |
114 |
would require that users acquire in some trusted way a new list signing |
115 |
public key. |
116 |
In my idea with a master and a list signing key (or multiple ones for |
117 |
different machines), the master key would be able to prove that the new |
118 |
list signing key is valid. As the list signing key is shortlived it |
119 |
would also be less advantageous to compromise the list. |
120 |
|
121 |
(we could have devrel people monitor the changes to the contents of the |
122 |
list so a compromise to the list signing key is easilly detected) |
123 |
|
124 |
Case 5: |
125 |
The master key (in my proposal) is compromised: |
126 |
This would suck big time. However as this master key is infrequently |
127 |
(especially with an intermediate key) used it can be secured by storing |
128 |
it on a usb key (and available to only a few people) which is only used |
129 |
when signing keys need to be signed. |
130 |
|
131 |
> Plan for incremental implementation: |
132 |
> ------------------------------------ |
133 |
> 1. roll out portage with a cleaned up version of my prototype for |
134 |
> repoman and simple verification code for manifests ONLY. |
135 |
> 2. create the trusted list and roll out a portage with support for it. |
136 |
|
137 |
Agreed completely. |
138 |
|
139 |
Let me lay out again what I would propose (I will not discuss signing the |
140 |
packages or verification) |
141 |
|
142 |
- - We have a master key on a USB flash key managed by drobbins. |
143 |
|
144 |
- - We have N monthly intermediate keys that are signed by the master key |
145 |
(so the master key would only be needed once per month) |
146 |
|
147 |
- - These intermediate keys are distributed to N different computers. |
148 |
|
149 |
- - The N different computers daily generate a signing key with a one day |
150 |
lifetime. Each signing key is signed by the intermediate key belonging |
151 |
to this computer. |
152 |
|
153 |
- - The N different computers immediately after generating the signing key |
154 |
use it to sign the key list. |
155 |
|
156 |
- - The public key of the N signing keys are made public in the tree where |
157 |
it is used |
158 |
|
159 |
- - The secret key of the N signing keys can be forgotten immediately after |
160 |
signing the key list, so the secret keys have a lifetime less than 5 |
161 |
minutes |
162 |
|
163 |
At rsync time the following happens: |
164 |
|
165 |
- - The client computer checks the current date/time |
166 |
|
167 |
- - The rsync gets performed |
168 |
|
169 |
- - The current time is recorded in a file |
170 |
|
171 |
At list verification time the following happens. |
172 |
|
173 |
- - The amount of signing keys is verified (in an unspecified way) |
174 |
|
175 |
- - If the last rsync is longer ago than M days a warning is given to the |
176 |
user |
177 |
|
178 |
- - The N signing key signatures are verified to come from the N |
179 |
intermediate keys |
180 |
|
181 |
- - The N intermediate keys are verified to the master public key |
182 |
|
183 |
- - The validity period of all signing keys (which are provided by rsync) |
184 |
is compared to the recorded rsync time. |
185 |
|
186 |
- - When all signing public keys have been found to be valid they are used |
187 |
to verify the key list. |
188 |
|
189 |
The the biggest issue is the security of the intermediate private keys. |
190 |
They need to be machine useable so either the passphrase must be stored |
191 |
on those machines, or there would to be an empty passphrase. For this it |
192 |
might be possible to use gpg-agent to ensure that access to the secret |
193 |
key file would not mean that the key would be compromised. The use of N |
194 |
different machines that generate signing keys might be a way to lessen |
195 |
this risk. |
196 |
|
197 |
Paul |
198 |
|
199 |
- -- |
200 |
Paul de Vrieze |
201 |
Gentoo Developer |
202 |
Mail: pauldv@g.o |
203 |
Homepage: http://www.devrieze.net |
204 |
-----BEGIN PGP SIGNATURE----- |
205 |
Version: GnuPG v1.2.4 (GNU/Linux) |
206 |
|
207 |
iD8DBQFAYrqObKx5DBjWFdsRAsmJAKCyW2DG1Q9YjA1Y/9QSNZPU8+4aWACeOcDZ |
208 |
KrDzFQxJjKBrO2BZ2vhz8II= |
209 |
=EyxJ |
210 |
-----END PGP SIGNATURE----- |
211 |
|
212 |
-- |
213 |
gentoo-dev@g.o mailing list |